Kaspersky CyberTrace

Step 4 (optional). Importing Kaspersky CyberTrace Service rules to RSA NetWitness

27 February 2024

ID 167810

The Kaspersky CyberTrace distribution kit contains the CyberTrace_Rules.zip file in the integration/rsa/additional_elements directory. This file contains a set of rules, which you can use to create reports, alerts, and dashboards.

To import the Kaspersky CyberTrace Service rules to RSA NetWitness:

  1. On the RSA NetWitness menu, select Dashboard > Reports.

    In RSA NetWitness 11, you select Monitor > Reports instead.

  2. Click the Settings split button (Settings split button in RSA NetWitness.) and select Import.

    Settings (gear) split button → Import menu item in RSA NetWitness.

    Importing rules

  3. Choose the CyberTrace_Rules.zip file.
  4. In the Import Rule window, select the Rule check box and the List check box.

    If you import the CyberTrace_Rules.zip file for the first time, you may leave these check boxes cleared.

  5. Click the Import button.

    Import Rule window in RSA NetWitness.

    Importing Kaspersky CyberTrace Service rules

The rules imported to RSA NetWitness are listed in the table below.

Rule

Description

CyberTrace Detect Botnet

Selects those detection events from Kaspersky CyberTrace Service that have the Botnet category.

The following fields are selected:

  • url
  • checksum
  • ip.src
  • user.src
  • event.source

CyberTrace Detect Malware Hash

Selects hash detection events from Kaspersky CyberTrace Service.

The following fields are selected:

  • virusname
  • checksum
  • ip.src
  • user.src
  • event.source

CyberTrace Detect Malware IP

Selects IP address detection events from Kaspersky CyberTrace Service.

The following fields are selected:

  • virusname
  • ip.dst
  • ip.src
  • user.src
  • event.source

CyberTrace Detect Malware URL

Selects URL detection events from Kaspersky CyberTrace Service.

The following fields are selected:

  • virusname
  • url
  • ip.src
  • user.src
  • event.source

CyberTrace Detect Stat

Selects all the categories involved in the detection process.

The following fields are selected:

  • virusname

CyberTrace Service events

Selects service events from Kaspersky CyberTrace Service.

The following fields are selected:

  • action
  • msg

CyberTrace Top 10 IP

Selects Top 10 detected IP addresses.

The following fields are selected:

  • kl.detected

CyberTrace Top 10 URL

Selects Top 10 detected URLs.

The following fields are selected:

  • url

CyberTrace Top 10 Hash

Selects Top 10 detected hashes.

The following fields are selected:

  • checksum

CyberTrace Detected users

Calculates the number of detection events per user.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.